In the Sub Groups section, select the groups you want to be subgroups of this group.

You can also add subgroups to groups by dragging the group onto the main group.

In the Roles section, configure the roles you require for this group of users according to the consoles you want them to be able to access and the tasks you want them to be able to perform. You must assign at least one role. See Section 4.2.4, Configuring Roles for more details.

In the Audit Manager section, specify the details of the group’s manager.

Click Finish.

4.2.3 Configuring a Help Desk Group

The help desk role allows a predefined set of attributes to be set on the Account Settings page, so that users assigned to the help desk group can manage only that subset of user attributes.

Framework User Roles

The following roles can be assigned to the authentication module in order to control access to the Framework User Manager console. Select from these roles when you are setting up a group to manage Framework Manager users and groups.

View and modify superusers, and view and modify groups with the super role defined.

*

Perform all roles.

Audit Report Roles

The following roles can be assigned to the auditing module in order to control access to the Reporting console. Select from these roles when you are setting up a group to manage the command control reports.

| Module | Role | Allows users to |
|---|---|---|
| audit | read | Read the audit database. This role must be used with all other audit roles. |
| | console | View the Reporting console. |
| | admin | Modify reporting settings. |
| | command | View Command Control reports. |
| | logon | View Account Logon reports. |
| | * | Perform all roles. |
| | write | Create new audit reports and adjust filter settings. |
| | report | Access reports with the report defined roles. |
| | <report defined> | Read and update the reports defined in the General tab of the Reporting console. This role is only useful when used in conjunction with the report role. |

You can use these Audit Report roles to create the following types of audit managers:

Administrator:
To allow the group to update all aspects of the auditing module, including encryption and rollover, the group needs to be assigned the following roles for the audit module:

admin

write

read

command

console

Manager:
To allow the group to update all aspects of the auditing module, except encryption and rollover, the group needs to be assigned the following roles for the audit module:

write

read

command

console

User:
To allow the group to read and update a specific report, the group needs to be assigned the following roles for the audit module:

command

console

report

<report defined read>

<report defined update>

If you want the group to have read-only privileges to the report, do not assign the <report defined update> role. Users with read-only rights to a report can view the report from the console, view the keystroke sessions within the report, and select which audit databases to view (see the LogFiles tab). Users who also have the update right can update the report’s filter, its name, and its description.

Each report allows you to specify a read role and an update role. You need to remember those names and manually enter them here. The console does not provide any error checking, so you need to make sure to enter the correct name. For information on how to enable a report for a role, see Section 6.4.4, Modifying General Report Information.
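Because the console does no error checking on report-defined role names, a mistyped name fails silently. The following added example (not part of the product or its documentation) lints a group's audit roles against the read and update role names transcribed from each report. The data layout, the exact-match comparison, and all sample names are assumptions.

```python
from difflib import get_close_matches

# Built-in audit roles from the Audit Report Roles table; any other name
# entered for the audit module is treated as a report-defined role.
BUILTIN = {"read", "console", "admin", "command", "logon", "write", "report", "*"}

# Constructed sample data (hypothetical layout, not a product export format):
# each report's read and update role names, copied by hand from its settings.
SAMPLE_REPORTS = {
    "Root sessions": {"read": "rootsess_read", "update": "rootsess_update"},
    "DBA activity": {"read": "dba_read", "update": "dba_update"},
}
SAMPLE_GROUP = {"command", "console", "report", "rootsess_read", "dba_raed"}


def lint_audit_roles(group_roles, reports):
    """Return (access, findings) for one group's audit-module roles.

    access maps report name -> "read-only" or "read+update".
    Assumption: role names must match exactly, including case.
    """
    findings, access = [], {}
    custom = {r for r in group_roles if r not in BUILTIN}
    defined = {name for r in reports.values() for name in r.values()}

    # The console accepts any string, so a mistyped name grants nothing
    # and raises no error; suggest the closest defined name.
    for role in sorted(custom - defined):
        hint = get_close_matches(role, sorted(defined), n=1)
        tip = f" (did you mean '{hint[0]}'?)" if hint else ""
        findings.append(f"'{role}' matches no report-defined role{tip}")

    # Report-defined roles are only useful together with the report role.
    has_report = bool({"report", "*"} & group_roles)
    if custom & defined and not has_report:
        findings.append("report-defined roles assigned without the 'report' role")

    for name, roles in reports.items():
        can_read = has_report and roles["read"] in group_roles
        can_update = has_report and roles["update"] in group_roles
        if can_update and not can_read:
            # Assumption: update is layered on read, as in the User profile.
            findings.append(f"'{name}': update role assigned without its read role")
        elif can_read:
            access[name] = "read+update" if can_update else "read-only"
    return access, findings
```

Running it over the sample group reports the mistyped `dba_raed` and shows that the group ends up with read-only access to one report instead of the two intended.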

Compliance Auditor Roles

The following roles can be assigned to the compliance auditing module in order to control access to the Compliance Auditor console. For a group to manage compliance auditing, the group also needs read roles to the auditing and authentication modules.

| Module | Role | Allows users to |
|---|---|---|
| secaudit | console | View the Compliance Auditor console. |
| | audit | View and edit records. |
| | admin | Add and modify audit rules. |
| | * | Perform the console, audit, and admin roles. |
| | <audit role name> | Access the records collected by audit rules with this role defined in the Audit Role field on the Modify Audit Rule page. You can choose your own name for the role. |

Extract user credentials, including name and e-mail address, from the auth database for use with reports.

Host Roles

The following roles can be assigned to the host module in order to control access to the Hosts console. Select from the following roles when creating a group to manage the hosts.

| Module | Role | Allows users to |
|---|---|---|
| unifi | info | Run the host status check by using the command line interface. You must type the word info because it is not available in the drop-down list. |
| | admin | View the Hosts console and perform administrative actions. |

Package Manager Roles

The following role can be assigned to the package manager module in order to control access to the Package Manager console. When you are creating a group that you want to manage the distribution of updates to Privileged User Manager, select the following:

| Module | Role | Allows users to |
|---|---|---|
| pkgman | admin | View, add, update, or remove packages. |

Command Control Roles

The following roles can be assigned to the command control module in order to control access to the Command Control console. Select from the following roles when you are creating a group that you want to manage and test the rules in the command control database.

| Module | Role | Allows users to |
|---|---|---|
| cmdctrl | read | View the Command Control console and run test suites. |
| | write | Modify the command control database. Users with this role cannot cancel other users’ transactions or modify audit or transaction settings. Must be used in conjunction with the cmdctrl read role. |
| | admin | Modify the Command Control database, including canceling other users’ transactions and modifying audit and transaction settings. |
| | * | Perform all roles. |
| auth | read | Extract user credentials, including name and e-mail address, from the auth database into the account and user group definitions. Used in conjunction with the cmdctrl write (with read) and admin roles. |

Distribution Roles

The following roles can be assigned to the distribution module in order to restrict the installation and deployment of certain packages.

| Module | Role | Allows users to |
|---|---|---|
| distrib | acl | Restricts deployment of packages to specified modules. |
| | Module:rexec | Install or patch the Command Control Agent (rexec). |
| | Module:distrib | Install or patch the Distribution Agent (distrib). |
| | Module:regclnt | Install or patch the Registry Agent (regclnt). |
| | Module:strfwd | Install or patch the Store and Forward Agent (strfwd). |
| | Module:sysinfo | Install or patch the System Information Agent (sysinfo). |

Any module can be allowed by following the same pattern as the entries above: Module:<desired-package-name>.